[24185] in bugtraq
RE: MSN Messenger and UDP 1900
daemon@ATHENA.MIT.EDU (Dustin Miller)
Fri Feb 8 01:30:25 2002
From: "Dustin Miller" <dustin@fusewerx.com>
To: "'Louie Martinez'" <louie@kopykake.com>, <bugtraq@securityfocus.com>
Date: Wed, 6 Feb 2002 10:21:33 -0600
MSN Messenger communicates using UPNP to try to auto-detect any
UPNP-compliant firewalls/routers you may have. Ostensibly, NAT/Firewall
devices that support UPNP will allow file transfers, voice and audio
communications so MSN Messenger polls for them to autoconfigure itself
and the NAT/Firewall device to support these transfer types.
Dustin Miller, President
FuseWerx LTD
http://www.fusewerx.com/
-----Original Message-----
From: Louie Martinez [mailto:louie@kopykake.com]
Sent: Tuesday, February 05, 2002 8:15 PM
To: bugtraq@securityfocus.com
Subject: MSN Messenger and UDP 1900
I had noticed I had been getting these curious entries in my logfile on
my linux box which is set up as a firewall. (I use Shorewall to manage
IPTables)
Feb 5 17:37:07 firewall kernel: Shorewall:all2all:REJECT:IN=eth1 OUT= MAC=00:a0:cc:3f:64:00:00:e0:7d:b8:78:72:08:00 SRC=192.168.1.18 DST=192.168.1.1 LEN=160 TOS=0x00 PREC=0x00 TTL=128 ID=1638 PROTO=UDP SPT=1148 DPT=1900 LEN=140
Feb 5 17:42:04 firewall kernel: Shorewall:all2all:REJECT:IN=eth1 OUT= MAC=00:a0:cc:3f:64:00:00:02:e3:11:b7:cc:08:00 SRC=192.168.1.4 DST=192.168.1.1 LEN=160 TOS=0x00 PREC=0x00 TTL=128 ID=5080 PROTO=UDP SPT=1211 DPT=1900 LEN=140
These happen to be Windows XP machines. The curious part is that I have
properly disabled UPnP and SSDP Discovery on both systems.
With some investigating I managed to view the payload of the mysterious
UDP packet.
M-SEARCH * HTTP/1.1
HOST: 239.255.255.250:1900
MAN: "ssdp:discover"
MX: 3
ST: urn:schemas-upnp-org:service:WANIPConnection:1
Anyway after even further investigation it seems that these mysterious
packets are only sent if MSN messenger is launched. You don't even have
to be logged into your MSN Messenger account. As long as it's sitting in
your system tray, these packets seem to be sent every 10 to 15 seconds on
machines with active MSN accounts and every 5 minutes or so on machines
that haven't set up an MSN Messenger account but still leave it sitting
in the system tray.
If anyone else can confirm this or knows why MSN wants to talk like a
UPnP device, I'd be appreciative to hear from you.
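
Added example, not part of the original thread: tallying Shorewall/netfilter REJECT entries like the ones quoted above by source address, to see which hosts send to UDP 1900 and how often. The sample lines are constructed (modelled on the two logged entries; the 17:37:19 entry, the DPT=137 entry and the address 192.168.1.7 are invented), and the year 2002 is assumed because syslog timestamps carry none.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample modelled on the two entries in the post; the 17:37:19
# entry and the DPT=137 entry are invented so the filter and the interval
# calculation have something to work on.
_TEMPLATE = ("Feb 5 {t} firewall kernel: Shorewall:all2all:REJECT:IN=eth1 OUT= "
             "MAC=00:a0:cc:3f:64:00:00:e0:7d:b8:78:72:08:00 SRC={src} "
             "DST=192.168.1.1 LEN=160 TOS=0x00 PREC=0x00 TTL=128 ID=1638 "
             "PROTO=UDP SPT=1148 DPT={dpt} LEN=140")
SAMPLE = [
    _TEMPLATE.format(t="17:37:07", src="192.168.1.18", dpt=1900),
    _TEMPLATE.format(t="17:37:19", src="192.168.1.18", dpt=1900),
    _TEMPLATE.format(t="17:40:00", src="192.168.1.7", dpt=137),
    _TEMPLATE.format(t="17:42:04", src="192.168.1.4", dpt=1900),
]

LINE_RE = re.compile(r"^(\w{3})\s+(\d{1,2})\s+(\d\d:\d\d:\d\d)\s+\S+\s+kernel:\s+(.*)$")

def parse_line(line, year=2002):
    """Return (timestamp, fields) for a netfilter LOG line, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    mon, day, clock, rest = m.groups()
    # syslog omits the year; 2002 is an assumption taken from the post's date
    when = datetime.strptime(f"{year} {mon} {day} {clock}", "%Y %b %d %H:%M:%S")
    # KEY=value pairs; LEN occurs twice and the later (UDP) value wins
    return when, dict(re.findall(r"\b([A-Z]+)=(\S*)", rest))

def ssdp_senders(lines, year=2002):
    """Map each source IP that sent UDP/1900 to its hit count and mean gap in seconds."""
    seen = defaultdict(list)
    for line in lines:
        parsed = parse_line(line, year)
        if parsed and parsed[1].get("PROTO") == "UDP" and parsed[1].get("DPT") == "1900":
            seen[parsed[1]["SRC"]].append(parsed[0])
    report = {}
    for src, times in seen.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        report[src] = {"count": len(times),
                       "mean_gap": sum(gaps) / len(gaps) if gaps else None}
    return report

if __name__ == "__main__":
    for src, stats in sorted(ssdp_senders(SAMPLE).items()):
        print(src, stats)
```

A mean gap in the 10 to 15 second range versus roughly 5 minutes separates the two behaviours the post describes for machines with and without an active MSN account.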